Re: Another New SPAM Type

Corey_ironport · ‎05-16-2006

I've been getting a lot of calls on these lately. Why isn't Brightmail catching this stuff?

-S'ensationall revoolution in m'edicine!

-E'n'l'a'r'g'e your p''enis up to 10 cm or up to 4 inches!

-It's herbal solution what hasn't side effect, but has 100% guaranted results!

-Don't lose your chance and but know wihtout doubts, you will be impressed with results!

Clisk here: Link Removed for Security Reasons

There's some garbage words at the bottom, but this seems like your average, run-of-the-mill SPAM that should EASILY be blocked by Brightmail.

shannon.hagan · ‎05-16-2006

In 19 hours, brightmail marked as spam positive 27,540 of these for us; however, I do know some are still getting through.

As a side note, these people registered at least 1,212 domains that we know about - yesterday most of them resolved to www.veritas-productions.com now some of the same ones resolve to www.cheapmoresize.com.

I'll give them credit - they did spend money to do this - registering that many domains takes time and money.

A message filter that should do you is:
drop_enlargement: if (body-size <= 10240) and (body-contains("(?i)clisk here"))
{
drop();
}

And if your users can't spell click - darn.

tminchin_ironport · ‎05-17-2006

I was cross with Brightmail on this one as it should have been dead easy for them to detect (despite the URL).

They did their homework (the spammers) on this one as it attacked heaps of DLs that were only displayed in closed group tender sites etc.

Donald Nash · ‎05-17-2006

I'll give them credit - they did spend money to do this - registering that many domains takes time and money.

Much of this can be automated, and the rest farmed out to cheap labor. And don't forget the old, "I'll show you some free porn if you solve this CAPTCHA for me," trick. As for money, well, the big-league spammers have that in abundance. It's all about return on investment.